Add default timeout to legacy ssh.ClientConfig (#15440)

* Add default timeout to legacy ssh.ClientConfig When using the deprecated Dynamic SSH Keys method, Vault will make an outbound SSH connection to an arbitrary remote host to place SSH keys. We now set a timeout of 1 minute for this connection. It is strongly recommended consumers of this SSH secrets engine feature migrate to the more secure, and otherwise equivalent, SSH certificates method. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2025-10-29 17:52:32 +00:00 · 2022-05-16 12:36:47 -04:00
parent 6ad948f012
commit 2481dbb417
2 changed files with 4 additions and 0 deletions
--- a/builtin/logical/ssh/util.go
+++ b/builtin/logical/ssh/util.go
@@ -171,6 +171,7 @@ func createSSHComm(logger log.Logger, username, ip string, port int, hostkey str
 			ssh.PublicKeys(signer),
 		},
 		HostKeyCallback: insecureIgnoreHostWarning(logger),
+		Timeout:         1 * time.Minute,
 	}

 	connfunc := func() (net.Conn, error) {
--- a/changelog/15440.txt
+++ b/changelog/15440.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/ssh: Add connection timeout of 1 minute for outbound SSH connection in deprecated Dynamic SSH Keys mode.
+```